2026-04-01 @edef informs the Nix team about the security problem
2026-04-01 @xokdvium first reaches out to me about the disclosure
2026-04-02 @xokdvium proposes the first patch series
2026-04-02 @xokdvium and @hexa discuss possible disclosure timeline, to skip easter weekend, candidate: Wednesday 2026-04-08
2026-04-02 @xokdvium and @hexa discuss remediation options for the build farm with the conclusion that temporarily using Lix as the nix.package is the simplest workaround
2026-04-03 @hexa briefly informs the infra team and begins migrating builders
2026-04-03 Nix Team sets release date as Tuesday 2026-04-07.
2026-04-07 Nix Team joins a call around 16:00 UTC to make the release.
The patches went live on 2026-04-07 around 17:19 UTC.
The releases were tagged on 2026-04-07 from 19:02 to 19:55 UTC and subsequently nixpkgs was updated with the new releases.
I think the information in the original post needs to be updated. In the āAm I affected?ā section it says that a minimum of 2.31.4 is needed in the 2.31.x series (which is what we have in NixOS right now). However, the version that was released to the channels is numbered 2.31.3+1. I wasted a lot of time trying to find out how to get 2.31.4 and wondering why the channels seemed to be taking so long to update when I had the fixed version all along. I think the information for people not deeply immersed in the ecosystem could have been more helpful.
It seems that my problem was that Iām on nixos-unstablewhich hasnāt caught up yet. nixos-unstable-small now has 2.31.4. Apologies for the distraction.
If you change your config or cherry-pick the commits into a fork, you can get the fix immediately and that are the same options for everyone as the infra team has. Hexa is in the infra and security team, so a collab there is natural and fixes might there be implemented early because of the size of the possible blast radius. I also think it is quite natural to plan and time such a security release to not be straight before eastern and at the same time fix the nixos infra immediately with some vague explanations.
So disclosing it earlier would have meant that a few people could have patched earlier and the majority would have been left with an infected system over the holidays. This was the reasoning. I donāt get why you are against patching the infra because if it would get infected it would have been a big deal.
Iām not against patching the infra, Iām against withholding the patch from everyone else on the grounds that thatās in somehow more responsible. After all
But it was not public. So you suggestion is that it would be preferable to announce it right before the holidays so every body knows but many might not be able to patch? Just for the few to benefit that have nothing better to do during the holidays?
I was not saying I was celebrating Easter, I did not. I said waiting for the holidays for a one day old CVE does make sense to me. Could have been Chinese New Year or other holidays as well if they effect the majority of the users. Waiting for those would make sense to me as well. For me it is about reviewing the possibilities and the involved risks and then make a decision (which always will be a compromise). it might not be the decision you would have made but it is understandable.
Or really, if I start being serious and professional: For fuckās sake peopleā¦ Thereās no Lix conspiracy. Are you really looking to bully the volunteer lead of the infrastructure team out of the project for their assumedly genuinely neutrally-made technical decisions again?
I trust the NixOS infrastructure team, and stand behind the decisions they take. I also trust that they have been as transparent as the disclosure process allowed them to be.
Thank you @hexa for your thankless work. I sincerely hope some terminally angry guys online wonāt push you over the edge to leave your role in the project. (Thanks extended to other infrastructure peeps in the loop, but none were named here.)
To clarify, the temporary switch to Lix has been ackād between me and @hexa on Friday 3rd by the time I had the initial patches ready for master, backports were done shortly after (not including the landlock stuff on top - that was done on Sunday).
That is a perfectly reasonable decision based on the circumstances and technical reasons (tracking down all versions of Nix to apply patches to is error-prone). It was pretty clear that infra could take flak again for switching to Lix for technical reasons ā that is quite overblown and unwarranted. I tried to make it clear in the post that this has been done at Nix teamās request ā to ensure that we have enough time for QA and preparing the backports ā while ensuring the safety of NixOS infrastructure.
I think it would be nice if announcements provided instructions on how to update their systems to used the latest patched version (a link to wiki would suffice).
Given that PRs take a while to propagate through official channels (stable\unstable) simple channel (or nix flake) update is not going to do the job. Pointing your entire system at a branch\commit which hasnāt been built and cached yet is also not a solutions since that owuld mean rebuilding the world. But itās not that bad if you can build only nix itself from source (against whatever nixpkgs commit you are using).
PS: just noticed that there is a hydra jobset for nixos/nix so one can get latest nix from cache by removing the follows above. This can be quickly confirmed with:
> nix build --dry-run github:nixos/nix/2.34.5
these 62 paths will be fetched (24.0 MiB download, 95.8 MiB unpacked):
...
Should this be documented somewhere or am I missing something?
Or is this reactionary FUD being built around the sensible and well-planned decisions of the infrastructure people by